Is your VPN service leaking your sensitive data?

Researchers have recently discovered critical vulnerabilities in popular virtual private network (VPN) services that potentially could leak consumers’ IP addresses or other personal and sensitive data.[1]

VPN services are used to protect online activities. It works by encrypting user’s data, increasing privacy, and obscuring actual IP address. Some users choose to use VPN services in order to increase their anonymity and private information security and hide their real IP addresses to avoid censorship and access blocked websites.

However, a team of ethical hackers has recently detected that three popular VPN services – HotSpot Shield, PureVPN, and Zenmate – that have millions of customers across the globe, are vulnerable to some bugs that potentially can leak users’ IP addresses and other sensitive data. The team of ethical hackers was hired by VPN Mentor, a privacy advocate firm.

One of the team member, application security researcher Paulos Yibelo, another one is an ethical hacker well known for his alias ‘File Descriptor’ and currently working for Cure53. However, the identity of the third one has not been revealed.[2]

Findings

According to the investigation, a series of privacy tests on all these VPN services revealed that all three tested VPN services are vulnerable and might leak their customers’ real IP addresses.

The leaks allow governments, hostile organizations, or individuals to identify the actual IP address of a user, even with the use of the VPNs.

According to the research team, the flaws detected in ZenMate VPN were less severe than other two VPN service providers HotSpot Shield and PureVPN.

Vulnerabilities that were detected in AnchorFree’s HotSpot Shield have been already patched by the company included the following

Hijack all traffic (CVE-2018-7879)

DNS lean (CVE-2018-7878)

Real IP address leak (CVE-2018-7880)

It is worth to mention that all these three flaws detected in HotSpot Shield’s Google Chrome plug-in. There were any vulnerabilities detected in the desktop or smartphone applications.

According to VPN Mentor, similar vulnerabilities were also detected in the Chrome plug-ins of Zenmate and PureVPN. However, neither Zenmate nor PureVPN have fixed those vulnerabilities, that is why they cannot be uncovered yet. Researchers only shared the information about fixed issues.

In addition, it was noted that most other VPN services likely include similar issues.

We believe that most other VPNs suffer from similar issues, so the fast response of Hotspot Shield is something we think is worth commending. We felt that they worked with our research team in a fast and serious manner and that they care for their users. They took our research as help for improvement rather than criticism.

About the author

Tomas Statkus
- Team leader

Tomas Statkus is an IT specialist, the team leader, and the founder of Reviewedbypro.com. He has worked in the IT area for over 10 years.